Implement/test "fail-open" option
A new feature has recently been introduced in NFQUEUE: it is possible to accept packets when the queue is full. This could be useful in Suricata when an admin wants to privilege network behavior over security.
More information and patch: http://www.digipedia.pl/usenet/thread/16261/26536/
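As an added example (not part of this issue, and not Suricata's or libnetfilter_queue's own code), the following C program builds the nfnetlink configuration messages through which the fail-open flag reaches the kernel: a bind for the queue, then NFQA_CFG_FLAGS plus NFQA_CFG_MASK carrying NFQA_CFG_F_FAIL_OPEN, which is the wire format libnetfilter_queue's nfq_set_queue_flags() emits. Queue number 0, AF_INET for the bind, and the NETLINK_NETFILTER socket setup are assumptions of the example; it only talks to the kernel when run with `--apply` as root.

```c
/* Added example, not Suricata/libnetfilter_queue code: bind an NFQUEUE and set NFQA_CFG_F_FAIL_OPEN. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_queue.h>

/* Start an NFQNL_MSG_CONFIG request addressed to one queue number. */
static struct nlmsghdr *config_header(void *buf, uint16_t queue_num)
{
    struct nlmsghdr *nlh = buf;
    struct nfgenmsg *nfg;
    nlh->nlmsg_type = (NFNL_SUBSYS_QUEUE << 8) | NFQNL_MSG_CONFIG;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof(*nfg));
    nfg = NLMSG_DATA(nlh);
    nfg->nfgen_family = AF_UNSPEC;
    nfg->version = NFNETLINK_V0;
    nfg->res_id = htons(queue_num);   /* queue number travels big-endian in res_id */
    return nlh;
}

/* Append one netlink attribute and advance the message length. */
static void put_attr(struct nlmsghdr *nlh, uint16_t type, const void *data, uint16_t len)
{
    struct nlattr *a = (struct nlattr *)((char *)nlh + NLMSG_ALIGN(nlh->nlmsg_len));
    a->nla_type = type;
    a->nla_len = NLA_HDRLEN + len;
    memcpy((char *)a + NLA_HDRLEN, data, len);
    nlh->nlmsg_len = NLMSG_ALIGN(nlh->nlmsg_len) + NLA_ALIGN(a->nla_len);
}

/* NFQA_CFG_FLAGS must be sent together with NFQA_CFG_MASK: only the bits set in
 * the mask are changed. Both are 32-bit big-endian. Returns the message length. */
size_t build_flags_msg(void *buf, uint16_t queue_num, uint32_t flags, uint32_t mask)
{
    struct nlmsghdr *nlh = config_header(buf, queue_num);
    uint32_t f = htonl(flags), m = htonl(mask);
    put_attr(nlh, NFQA_CFG_FLAGS, &f, sizeof f);
    put_attr(nlh, NFQA_CFG_MASK, &m, sizeof m);
    return nlh->nlmsg_len;
}

/* Read a 32-bit big-endian attribute back out of a config message (host order, 0 if absent). */
uint32_t get_be32_attr(const void *buf, uint16_t type)
{
    const struct nlmsghdr *nlh = buf;
    size_t off = NLMSG_LENGTH(sizeof(struct nfgenmsg));
    while (off + NLA_HDRLEN <= nlh->nlmsg_len) {
        const struct nlattr *a = (const struct nlattr *)((const char *)buf + off);
        uint32_t be;
        if (a->nla_len < NLA_HDRLEN) break;
        if (a->nla_type == type && a->nla_len == NLA_HDRLEN + sizeof be) {
            memcpy(&be, (const char *)a + NLA_HDRLEN, sizeof be);
            return ntohl(be);
        }
        off += NLA_ALIGN(a->nla_len);
    }
    return 0;
}

/* Send one request and return the errno carried by the kernel's ACK (0 = accepted, -1 = I/O error). */
static int transact(int fd, const void *msg, size_t len)
{
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };
    uint32_t reply[64];
    struct nlmsghdr *nlh = (struct nlmsghdr *)reply;
    if (sendto(fd, msg, len, 0, (struct sockaddr *)&kernel, sizeof kernel) < 0) return -1;
    if (recv(fd, reply, sizeof reply, 0) < (ssize_t)NLMSG_LENGTH(sizeof(struct nlmsgerr))) return -1;
    if (nlh->nlmsg_type != NLMSG_ERROR) return -1;
    return -((struct nlmsgerr *)NLMSG_DATA(nlh))->error;
}

/* Bind the queue, then turn fail-open on. Needs CAP_NET_ADMIN and nfnetlink_queue.
 * An ACK of 0 is not proof that the kernel understood the flag (see the note on
 * detection in this issue): the attribute is only honoured by kernels that have the feature. */
int enable_fail_open(uint16_t queue_num)
{
    uint32_t raw[16];
    struct nfqnl_msg_config_cmd bind = { .command = NFQNL_CFG_CMD_BIND, .pf = htons(AF_INET) };
    struct nlmsghdr *nlh = config_header(raw, queue_num);
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER), rc;
    if (fd < 0) return -1;
    put_attr(nlh, NFQA_CFG_CMD, &bind, sizeof bind);   /* bind creates the queue, owned by this socket */
    rc = transact(fd, raw, nlh->nlmsg_len);
    if (rc == 0)
        rc = transact(fd, raw, build_flags_msg(raw, queue_num, NFQA_CFG_F_FAIL_OPEN, NFQA_CFG_F_FAIL_OPEN));
    close(fd);   /* closing the socket unbinds the queue again */
    return rc;
}

int main(int argc, char **argv)
{
    uint32_t raw[16];
    size_t n = build_flags_msg(raw, 0, NFQA_CFG_F_FAIL_OPEN, NFQA_CFG_F_FAIL_OPEN);
    printf("flags message: %zu bytes, flags=%#x mask=%#x\n", n,
           get_be32_attr(raw, NFQA_CFG_FLAGS), get_be32_attr(raw, NFQA_CFG_MASK));
    if (argc > 1 && strcmp(argv[1], "--apply") == 0)   /* touches the kernel only on request */
        printf("enable_fail_open(0) -> %d\n", enable_fail_open(0));
    return 0;
}
```

Without `--apply` the program only constructs and decodes the message, so it can be inspected on any Linux box; with `--apply` it performs the bind and flag change and prints the errno from the kernel's ACK, which is the same round trip an NFQ-based IPS performs at startup.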
Updated by Eric Leblond over 7 years ago
I've implemented this and tested it using the latest Linux git and the latest libnetfilter_queue git. And it works:
# scp on lo with MTU at 100
# With fail-open
root@test-squeeze:~# scp linux-image-3.*deb localhost:/tmp
linux-image-3.3.0-rc3noct+_3.3.0-rc3noct+-10.00.Custom_amd64.deb             100%   31MB   3.5MB/s   00:09
linux-image-3.6.0-rc1-netfilter+_3.6.0-rc1-netfilter+-10.00.Custom_amd64.deb 100%   30MB   3.3MB/s   00:09
# Without fail-open
root@test-squeeze:~# scp linux-image-3.*deb localhost:/tmp
linux-image-3.3.0-rc3noct+_3.3.0-rc3noct+-10.00.Custom_amd64.deb             100%   31MB 504.7KB/s   01:03
linux-image-3.6.0-rc1-netfilter+_3.6.0-rc1-netfilter+-10.00.Custom_amd64.deb 100%   30MB 513.6KB/s   00:59
The attached patch is the implementation.
Please note that there is no possibility to detect that the feature is not available in the kernel.